
Can your management system satisfy your SOx requirements?

There has been much talk in recent years about the need for management systems to become truly aligned to business needs, and not simply bolted-on. Companies need a system that adds real value, not just cost, to operations. This article looks at how ARM is using Lloyd’s Register Quality Assurance’s (LRQA) Business Assurance approach to provide support for their Sarbanes-Oxley Act (SOx) attestation. 

ARM Holdings plc, the FTSE 250 and NASDAQ-listed company engaged in the research and development of RISC-based microprocessors and systems, has developed a robust yet practical management system. The ARM management system (AMS) not only helps to run the business but has given rise to embedded business processes that provide data and information to help meet both the ISO 9001 quality management system standard and, more recently, US legislation such as Sarbanes-Oxley.


The story starts in 1999, when senior management decided they needed a management system as a vehicle to facilitate business change in an environment of significant growth. While there was no direct customer demand at the time, they took the decision to use the emerging ISO 9001:2000 standard and subsequently to become independently certified by LRQA.

In line with the principles of the standard, ARM developed its management system taking a process-based approach that covered all core operations and support functions such as finance, legal, IT and marketing. This was underpinned by a full education and awareness programme and extensive use of measures to monitor and improve performance. As the management system represented a framework for all business processes, it was possible to cover all processes in all locations and so rapidly achieve global certification. The same model is now deployed throughout the organisation, including all new acquisitions, and is simply seen as ‘business as usual’.

Director of Quality Simon Gross, who was responsible for introducing the system and gaining certification, explains: “The emphasis of the system is firmly on business and risk management rather than prescriptive instruction. Our entire approach is based around the need to add value and, to this end, we’ve introduced change only where improvement was needed. In this way, the system gives business benefits and importantly, receives continuing senior management support.”


Sarbanes-Oxley (SOx) and Business Assurance

SOx was introduced in the USA to rebuild public trust in the accounting and financial reporting practices of public companies. Section 404 of the SOx legislation requires management to take responsibility for implementing effective “internal controls” over the financial reporting process. Internal controls are simply processes designed to provide reasonable assurance that a defined objective is achieved. The COSO* framework of 1992 is the preferred framework through which internal control systems can be assessed and improved such that they meet the SOx requirements. As with many such standards, COSO is grounded on senior management commitment, often referred to as “tone from the top”. The framework is built up from five components: control environment; risk assessment; information and communication; control activities; and monitoring. The scope of the framework is wider than just the use of internal controls over financial reporting, as it also aims to address the efficiency and effectiveness of operations and compliance with regulatory and statutory requirements.

Assessing how well these COSO components are met in practice can be difficult because they are subjective in nature. Controls put in place to provide assurance over these less tangible aspects are known as “entity level controls”. ARM looked widely across the business when considering the scope for these and developed a comprehensive checklist of control objectives. Using this checklist, ARM then mapped the objectives to pre-existing business processes and controls to create its own set of entity level controls. The scope of these controls includes the ARM Management System (AMS) itself and the Business Performance Reviews (BPR) that ensure its adequacy and effectiveness. Operational planning, IT systems, approvals processes and finance, as well as customer satisfaction and cost management, are covered. Also included are risk management, training and competency, communications, auditing, the ethics policy and the code of conduct. The wide scope of these entity level controls meets not only the needs of SOx but also the wider needs of the business.

As it had already been confirmed that the business processes satisfied the requirements of ISO 9001, it was possible for LRQA’s assessor, Dave Wynn, to create a high-level mapping between the topics covered by the LRQA assessments and ARM’s entity level controls.

“For a number of years LRQA had been working closely with ARM piloting a themed approach to assessments which saw the company going beyond mere compliance with standards, and focusing more on business needs and plans. This saw LRQA conducting themed assessments, for example, on product delivery extending to suppliers and customers; sales and marketing, and ARM’s core project/product management processes.

“The net result of this activity was that the introduction of SOx entity level audit criteria was trialled as a themed assessment and so covered within the scope of the regular six-monthly assessment programme,” comments Dave Wynn.

The introduction of themed assessments has been one of the more significant changes to the way in which LRQA works with its clients and an integral part of the ‘business assurance’ approach. The primary concept underpinning this new ‘business assurance’ approach has been the flexibility and freedom for companies to manage broader business risks, while providing stakeholders with the assurance and confidence given by independent certification.

The business assurance approach has enabled the assessor to use the visits to encompass any additional elements required by the client. The mapping developed by Dave Wynn consisted of a limited number of topic areas used to direct the interviews at all levels, including senior management. These areas ranged widely, covering topics such as integrity and ethical values; rewards and recognition; risk management; and IT processes. Additional checks on the IT processes were also needed, and for these the relevant parts of the ISO/IEC 27001 information security standard were adopted. The results of the interviews and the assessment of the data were analysed against the mapping, which validated management’s responses on the entity level controls and led to a comprehensive LRQA report.


PricewaterhouseCoopers’ acceptance of LRQA reports

The LRQA report was successfully used in 2006 and accepted by ARM’s financial auditors, PricewaterhouseCoopers, as evidence that ARM’s business processes are functioning as intended and that these processes are being properly monitored. It has given the auditors confidence that the controls implemented by the business are well designed and operate effectively.

PricewaterhouseCoopers’ lead audit partner found the approach taken to entity level controls to be highly innovative and efficient, and was impressed that this aspect of SOx compliance quickly became ‘business as usual’ within ARM’s day-to-day operations rather than a cumbersome bolt-on exercise done purely for the sake of the SOx attestation.

He explains: “Most companies have well documented policies and procedures in place, but struggle to demonstrate how they are fully integrated into the business. The testing and reporting LRQA performed as part of their regular assessment visits gave ARM valuable data on the effectiveness of their policies and communications. This not only provided powerful evidence that compliance was monitored, but also comprehensive action points which were fed back to shape future policies and communications.”

“ARM is a very dynamic business and any system of control has to be flexible and dynamic too, in order to remain effective. Their insistence that controls are genuinely of use in managing the business means that ARM’s SOx controls are, for the most part, deeply embedded in the organisation’s culture. This demonstration of the strength of the company’s entity level controls means that ARM is able to place a high degree of reliance on controls in this area and so is well-placed, under the new auditing standard, AS 5*, to streamline its transaction-level testing in other areas. Many other organisations would be envious of what ARM has achieved in this space,” he concludes.

Benefits

While many organisations have struggled to realise the goal of truly aligning their management systems with effective business operations, this hasn’t been an issue with ARM. The AMS was developed to support the running of the business and to give timely, relevant data to support senior management decision-making and not just to satisfy the requirements of any particular standard or scheme.

This can be demonstrated with the use of a ‘corporate calendar’ driven by the schedule of board meetings, committee meetings and the requirements of quarterly reporting. “The calendar is a tool visible to all employees and managers that is used to ensure the built-in processes actually work on the ground. It is about facilitating key business processes, using the measures within these processes and the internal audit programme to identify opportunities for continuous improvement and to ensure that any improvement actions raised are owned, tracked and reviewed so that the required business benefits are realised,” comments Simon Gross.

And it was the AMS that was to provide the solution when Simon was tasked with ensuring ARM complied with SOx legislation. “We knew from the US experience that organisations were typically drafting in a project team to gain compliance. But then they struggled with what to do in year two once the teams had gone back to their day jobs, without the necessary processes having been embedded into business as usual.

“We already had the mechanisms to deploy, monitor and improve processes. We just had to avoid falling into the trap of writing additional controls simply to satisfy SOx rather than utilising the existing framework and embedding appropriate controls into what we already do.”

This model of continually adapting the AMS without changing its primary function has meant that the company is in a position to absorb the requirements of new and impending legislation more easily, including the risk-based approach that has been clarified in the auditing standard AS 5*.


Partnering with LRQA

In a little over six years, Simon and his team have been able to develop a lightweight, flexible system. With senior management support and an ‘open doors’ approach, the AMS has evolved into an invaluable business tool, one that has been supported and guided by LRQA from the early days.


Dave Wynn explains. “There aren’t any barriers to us doing something that could offer potential benefit somewhere down the line. I have been out to visit customers, suppliers and distributors as part of LRQA’s themed assessment approach. I was investigating how the company’s management system was seen by its key stakeholders. There simply wasn’t a problem with this. And the reason for this openness is that ARM is concentrating on adding value right down the line and their stakeholders trust us to do this.”

“I think all assessors will agree with me when I say that where an organisation’s management system has this very clear link to the business, they are no longer doing quality assurance – it’s business assurance,” concludes Dave.

Simon continues. “An LRQA assessment is assurance that our management system is effective. And that we are continuing to improve, that we are identifying and prioritising the right things. We are continuing to monitor and develop our processes with the help of the LRQA themed assessment approach.

“Importantly, the six-monthly surveillance visits provide us with a keen focus to deliver results in a timely manner. And we look to our assessor not only to be an independent eye but to also focus on opportunities for improvement.

“For us, business assurance is about bringing under one umbrella the whole plethora of standards without necessarily having a wall of ‘badges.’ It is pick-and-mix as is appropriate to our business needs. The AMS is contributing already to SOx compliance. The approach that we continue to undertake is more suited to the revised principles of AS 5* and can be adapted to provide a good basis for any future standards or legislation. For us, it really is business as usual,” he concludes.

Footnotes:

*COSO – The Committee of Sponsoring Organisations of the Treadway Commission published ‘Internal Control - Integrated Framework’ in 1992. COSO was important because it emphasised the responsibilities of management for control. It also set definitions for what was included within internal control and the key components of control.

*AS 5 – Public Company Accounting Oversight Board Auditing Standard 5.


To learn more about LRQA products and services, contact our business advisors on 0800 783 2179

Page last modified on 29 November 2007

Article can be found online at:
http://www.lrqa.co.uk/help/casestudies/arm/

Care is taken to ensure that the information herein is accurate and up-to-date. However, LRQA accepts no responsibility for inaccuracies in, or changes to, such information.

© Lloyd's Register Quality Assurance 2008